Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Null pointer dereference in parse_lrc (GHSL-2024-263)

A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c.

The parse_lrc function calls strchr() to find the character ‘]’ in the string line. The pointer returned by this call is then passed to g_strdup().

However, if the string line does not contain the character ‘]’, strchr() returns NULL, and the following call to g_strdup(start + 1) leads to a null pointer dereference.

static gchar * parse_lrc (ParserState * state, const gchar * line){
...
  start = strchr (line, ']');
  if (start - line == 9)
    milli = 10;
  else
    milli = 1;
...
  return g_strdup (start + 1);
}
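A checked version of the lookup described above, as an added example that is not GStreamer's code or its fix. `parse_lrc_checked`, `LrcState` and the sample lines are hypothetical, the `[mm:ss.xx]` tag layout and the sscanf-based field parsing are assumptions, and libc `malloc`/`memcpy` stand in for `g_strdup()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the parser state; only the field this sketch needs. */
typedef struct { unsigned long start_ms; } LrcState;

/* Parses "[mm:ss.xx]text" or "[mm:ss.xxx]text". Returns a heap copy of the
 * text after ']' (caller frees), or NULL if the line is not a complete tag. */
static char *parse_lrc_checked(LrcState *state, const char *line)
{
    unsigned m, s, c, milli;
    const char *end;
    char *copy;
    size_t n;

    if (line == NULL || line[0] != '[')
        return NULL;
    /* sscanf reports 3 conversions even if the trailing ']' never matches,
     * so its return value alone does not prove the bracket is present. */
    if (sscanf(line, "[%u:%2u.%3u]", &m, &s, &c) != 3)
        return NULL;

    end = strchr(line, ']');
    if (end == NULL)            /* the check missing from the excerpt */
        return NULL;
    /* Same rule as the excerpt: ']' at offset 9 means two-digit hundredths. */
    milli = (end - line == 9) ? 10 : 1;
    state->start_ms = (m * 60UL + s) * 1000UL + (unsigned long)c * milli;
    n = strlen(end + 1) + 1;
    copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, end + 1, n);
    return copy;
}

int main(void)
{
    /* Constructed sample lines; the last two lack the closing bracket. */
    const char *samples[] = { "[00:12.34]hello", "[01:02.345]world",
                              "[00:12.34", "[00:12.34 no bracket" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        LrcState st = { 0 };
        char *text = parse_lrc_checked(&st, samples[i]);
        printf("%-24s -> %s\n", samples[i], text ? text : "(rejected)");
        free(text);
    }
    return 0;
}
```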

Impact

This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-263 in any communication regarding this issue.